# Full TLS Setup
Transport Layer Security (TLS) can be used to provide a secure communications
channel between Ubqt servers and clients, and is also optional for use in many
Ubqt services that connect to internet resources.
## Certificates, Keys
Ubqt uses certificate and key pairs to establish TLS connections.
In order to connect securely, we need to create a certificate and key on both the
server and the client.
Related reading:
- https://en.wikipedia.org/wiki/Public_key_certificate
- https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
## Server
In many applications, self-signed certificates are unwanted, due to the
client/server trust being broken. However, for most common ubqt installations,
the same authority manages both sides. (You!)
Using a Certificate Authority such as Let's Encrypt is also possible, and will
be covered in future versions of this guide.
For systems with openssl, generating a self-signed certificate/key pair can be
done as follows:
```
openssl req -newkey rsa:4096 -nodes -sha512 -x509 -days 3650 \
    -out /etc/ssl/certs/ubqt.pem -keyout /etc/ssl/private/ubqt.pem
```
This will create the two named files, and the server will look for each under that
specific name, if none is provided on the command line.
To sign client certificates, we need a Certificate Signing Request file, for
example:
`openssl req -new -key /etc/ssl/private/ubqt.pem -out /etc/ssl/certs/ubqt.csr`
### Plan9
Refer to http://man.cat-v.org/9front/8/rsa
A full guide coming soon!
Servers will prefer the factotum whenever possible for key values,
## Client
Here, we create and sign client certificates against our server's root
certificate, created above:
```
# Create the client key
openssl genrsa -out myclient.key 4096
# Create a client sign request
openssl req -new -key myclient.key -out myclient.csr
# Sign the request to create a valid cert
# We'll make it last 1024 days
openssl x509 -req -in myclient.csr -CA /etc/ssl/certs/ubqt.pem \
    -CAkey /etc/ssl/private/ubqt.pem -CAcreateserial -out myclient.pem \
    -days 1024 -sha512
```
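The script below is an added example, not part of Ubqt. It repeats the server and client steps above in a scratch directory and then checks the result: the client certificate chains to the server certificate, is rejected under an unrelated authority, and matches its private key. The directory layout, the `ubqt.key` file name, the `-subj` CN values and the helper function names are assumptions made for the demo, and it relies on the stock `openssl.cnf` marking `req -x509` certificates as CA certificates.

```shell
#!/bin/sh
# Added example. Directory layout and CN values are constructed for the demo.
set -eu
umask 077                      # private keys must not be readable by others

# make_ca DIR CN: self-signed certificate + key, as in the Server section
make_ca() {
    mkdir -p "$1"
    openssl req -newkey rsa:4096 -nodes -sha512 -x509 -days 3650 \
        -subj "/CN=$2" -out "$1/ubqt.pem" -keyout "$1/ubqt.key" 2>/dev/null
}

# make_client DIR NAME: client key, CSR, and certificate signed by DIR's CA
make_client() {
    openssl genrsa -out "$1/$2.key" 4096 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ubqt.pem" -CAkey "$1/ubqt.key" \
        -CAcreateserial -out "$1/$2.pem" -days 1024 -sha512 2>/dev/null
}

# chain_ok CA CERT: true only if CERT was issued by CA and is currently valid
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches CERT KEY: true only if KEY is the private half of CERT
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

make_ca     "$DEMO/srv"   ubqt-demo-server
make_client "$DEMO/srv"   myclient
make_ca     "$DEMO/other" unrelated-authority   # a CA the server does not use

chain_ok "$DEMO/srv/ubqt.pem" "$DEMO/srv/myclient.pem" \
    && echo "myclient.pem: issued by our server certificate"
chain_ok "$DEMO/other/ubqt.pem" "$DEMO/srv/myclient.pem" \
    || echo "myclient.pem: rejected under an unrelated authority"
key_matches "$DEMO/srv/myclient.pem" "$DEMO/srv/myclient.key" \
    && echo "myclient.key: matches the certificate"
```

Running `chain_ok` and `key_matches` against the real files under `/etc/ssl` before distributing a client certificate catches a certificate signed with the wrong key or paired with the wrong private key.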
### Plan9